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I. REAL PARTY IN INTEREST 

The real party in interest is the assignee, Intel Corporation. 

II. RELATED APPEALS AND INTERFERENCES 

There are no related appeals or interferences known to the appellants, the 
appellants' legal representative, or assignee, which will directly affect or be directly 
affected by or have a bearing on the Board's decision in the pending appeal. 

III. STATUS OF CLAIMS 

Claims 1 -80 are pending in the application. Claims 1-80 of the present application 
remain rejected. The Applicants hereby appeal the rejection of claims 1-80. 

IV. STATUS OF AMENDMENTS 

The Applicants filed an amendment on February 28, 2005, in response to a Final 
Office Action issued by the Examiner on January 1 1 , 2005. In response to the February 
28, 2005 amendment, the Examiner issued an Advisory Action on March 17, 2005. The 
Applicants filed a Nofice of Appeal on April 11, 2005. 

V. SUMMARY OF CLAIMED SUBJECT MATTER 
1. Independent claims 1. 21. 4K and 61 : 

One embodiment of the present invention is a technique to perform remote 
attestation by a an attestation key memory (AKM) device to attest an isolated execution 
mode' and to prove validity of a program loaded into an isolated memory area using an 
isolated digest stored in a digest memory^. 

A computer system 100 includes a processor 1 10, a host bus 120, a memory 
controller hub (MCH) 1 30, a system memory 140, an input/output controller hub (ICH) 
150, a non-volatile memory, or system flash, 160, a mass storage device 170, input/output 



' See Specification, page 16, lines 9-15. 
^ See Specification, page 14, lines 6-13. 
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devices 175, a token bus 180, a motherboard (MB) token 182, a reader 184, and a token 
186^. The computer system 100 operates in an isolated execution architecture. The 
isolated execution architecture includes logical and physical definitions of hardware and 
software components that interact directly or indirectly with an operating system of the 
computer system or platform"*. A logical operating architecture 50 is an abstraction of the 
components of an operating system and the processor. The logical operating architecture 
50 includes ring-0 10, ring-1 20, ring-2 30, ring-3 40, and a processor nub loader 52. The 
processor nub loader 52 is an instance of a processor executive (PE) handler. The logical 
operating architecture 50 has two modes of operation: normal execution mode and isolated 
execution mode. Each ring in the logical operating architecture 50 can operate in both 
modes. The processor nub loader 52 operates only in the isolated execution mode^. 

Ring-0 10 includes two portions: a normal execution Ring-0 1 1 and an isolated 
execution Ring-0 15. The normal execution Ring-0 1 1 includes software modules that are 
critical for the operating system, usually referred to as kernel. The isolated execution 
Ring-0 1 5 includes an operating system (OS) nub 16 and a processor nub 1 8. The OS nub 
16 and the processor nub 18 are instances of an OS executive (OSE) and processor 
executive (PE) that operate in a secure environment associated with the isolated area 70 
and the isolated execution mode. The processor nub loader 52 is a protected bootstrap 
loader code held within a chipset in the system and is responsible for loading the processor 
nub 1 8 fi"om the processor or chipset into an isolated area^. 

An isolated region is created in the system memory, referred to as an isolated area, 
which is protected by both the processor and chipset in the computer system. Access to 
this isolated region is permitted only fi-om a front side bus (FSB) of the processor, using 
special bus (e.g., memory read and write) cycles, referred to as isolated read and write 
cycles. The isolated execution mode is initialized using a privileged instruction in the 
processor, combined with the processor nub loader 52. The processor nub loader 52 
verifies and loads a ring-0 nub software module (e.g., processor nub 18) into the isolated 

* 7 

area. The processor nub 18 provides hardware-related services for the isolated execution . 
One task of the processor nub loader 52 and processor nub 18 is to verify and load the 

^ See Specification, page 9. lines 10-16; Figure IC. 
^ See Specification, page 5, lines 10-13. 

^ See Specification, page 5, lines 26-27; page 6, lines 1-9; Figure 1 A. 
^ See specification, page 6, lines 10-22. 
^ See Specification, page 7, lines 1-14. 
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ring-0 OS nub 16 into the isolated area, and to generate the root of a key hierarchy unique 

Q 

to a combination of the platform, the processor nub 1 8, and the operating system nub 16 . 

The processor 110 includes a normal execution mode 1 12 and an isolated execution 
circuit 115. The normal execution mode 1 1 2 is the mode in which the processor 1 1 0 
operates in a non-secure environment, or a normal environment without the security 
features provided by the isolated execution mode. The isolated execution circuit 115 
provides a mechanism to allow the processor 1 10 to operate in an isolated execution mode. 
The isolated execution circuit 1 1 5 provides hardware and software support for the isolated 
execution mode such as configuration for isolated execution, definition of an isolated area, 
definition (e.g., decoding and execution) of isolated instructions, generation of isolated 
access bus cycles, and access checking^. 

The ICH 150 has a number of functionalities that are designed to support the 
isolated execution mode in addition to the traditional I/O functions. In particular, the ICH 
1 50 includes an isolated bus cycle interface 152, the processor nub loader 52, a digest 
memory 154, a cryptographic key storage 155, an isolated execution logical processor 
manager 156, and a token bus interface 159*^. 

The processor nub loader 52 includes a processor nub loader code and its digest 
(e.g., cryptographic hash) value. The processor nub loader 52 is invoked by execution of 
an appropriate isolated instruction (e.g., Iso_Init) and is transferred to the isolated area 70. 
From the isolated area 80, the processor nub loader 52 copies the processor nub 18 from 
the system flash memory (e.g., the processor nub code 18 in non- volatile memory 160) into 
the isolated area 70, verifies and logs its integrity, and manages a symmetric key used to 
protect the processor nub's secrets* ^ . 

The digest memory 154, typically implemented in RAM, stores the digest (e.g., 
cryptographic hash) values of the loaded processor nub 1 8, the operating system nub 16, 
and any other supervisory modules (e.g., ring-0 modules) loaded into the isolated 
execution space. The cryptographic key storage 1 55 holds a symmetric 
encryption/decryption key that is unique for the platform of the system 100. The isolated 
execution logical processor manager 156 manages the operation of logical processors 
configuring their isolated execution mode support. The token bus interface 1 59 interfaces 

^ See Specification, page 7, lines 15-18. 

^ See Specification, page 10,lines 3-13; Figure IC (reference 1 10), 
See Specification, page 13, lines 2-7; Figure IC (reference 150). 
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to the token bus 1 80. A combination of the processor nub loader digest, the processor nub 
digest, the operating system nub digest, and optionally additional digests, represents the 
overall isolated execution digest, referred to as isolated digest. The isolated digest is a 
fingerprint identifying the all supervisory code involved in controlling the isolated 
execution configuration and operation. The isolated digest is used to attest the state of the 
current isolated execution and to prove the validity of the software loaded into the isolated 
area*^. 

The token bus 1 80 provides an interface between the ICH 1 50 and various tokens 
in the system. A token is a device that performs dedicated input/output functions with 
security functionalities. A token has characteristics similar to a smart card, including at 
least one reserved -purpose public/private key pair and the ability to sign data with the 
private key. Examples of tokens connected to the token bus 1 80 include a motherboard 
token 182, a token reader 184, and other portable tokens 186 (e.g., smart card). The token 
bus interface 1 59 in the ICH 150 connects through the token bus 1 80 to the ICH 1 50 and 
ensures that when commanded to prove the state of the isolated execution, the 
corresponding token (e.g., the motherboard token 182, the token 186) signs only valid 

1 T 

isolated digest information . 

The remote attestation is performed by the AKM operating in a remote manner 
with respect to the MCH 130 and the ICH 1 50. The AKM device contains one or more 
key pair and may be inserted into the platform by the end user needed to perform the 
attestation'"^. 

An interface maps a device (e.g., the AKM device) via a bus (e.g., the token bus 
180) to an address space of a chipset (e.g., the ICH 1 50) in a secure environment for an 
isolated execution mode. A communication storage corresponding to the address space 
allows the device to exchange security information with the at least one processor in the 
isolated execution mode in a remote attestation' ^ 

The token bus interface 159 includes an interface 210, a communication storage 
220, and a chipset storage 270. The interface 210 provides an interface between an external 
device (e.g., the tokens 1 86) coupled to the token bus 1 80 and the chipset (e.g., the ICH 

" See Specification, page 13, lines 10-21. 
See specification, page 13, lines 21-29; page 14, lines 1-13. 
See Specification, page 15, lines 23-28; page 16, lines 1-7. 
See Specification, page 16, lines 9-21. 
See Specification, page 17, lines 9-16. 
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150). The communication storage 220 is mapped to the address space and allows the 
device 1 86 to exchange security information with the chipset 1 50 or the processor 110^^. 

2. Dependent claims 6-19. 26-39, 46-59, and 66-79: 

The communication storage 220 includes a configuration storage 230, a status 
register 240, a command register 250, and an input/output block (lOB) 260. The 
configuration storage 230 stores configuration information 232. The status register 240 
stores device status 242. The command register 250 stores device command 252. The 
lOB 260 stored input data 262 and output data 264^^ 

The chipset storage 270 stores chipset information such as the system digest in the 
digest memory 154 (Figure IC). In particular, the chipset storage 270 includes a processor 
nub loader hash 272, a chipset hash log 274, a software hash 276, and a nonce 278. The 
processor nub loader hash 272 and the chipset hash log 274 can be read directly by the 
AKM device 1 86. The software hash 276 and the nonce 278 are provided by the processor 
nub 18^^ 

The configuration storage 230 includes a manufacturer identifier 310, a revision 
identifier 320, an interface set identifier 330, a static public key 340, and a static key 
certificate 350^^. The manufacturer identifier 3 1 0 identifies the manufacturer of the AKM 
device 1 86. The revision identifier 320 provides a revision number of the AKM device 
1 86. The interface set identifier 330 identifies the interface set that is supported by the 
device 1 86. The static public key 340 is a public key with a short key identification. The 
key certificate 350 is a key certificate with a short key identification^^. The interface set 
identified by the interface set identifier 330 identifies may include an initialization set 360, 
an attestation set 370, and a device interface set 380. For a typical remote attestation, the 
initialization set 360 is needed. The initialization set 360 may be hard-coded and is used to 
reset and initialize the device. The initialization set 360 includes an idle state 362, a reset 
command 364, a connect command 366, and a reserved operation 368. The idle state 362 
indicates that the device is not performing any meaningful operation and is idle. The reset 



See Specification page 17, lines 17-24; page 1 8, lines 3-5; Figure 2. 
See Specification page 18, lines 5-10; Figure 2 (reference 220). 
See Specification page 1 8, lines 11-19; Figure 2 (reference 270) 
See Specification page 1 8, lines 20-1 8; Figure 3. 
See Specification page 19, lines 1-6. 
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command 364 causes the device to reset and perform a self-test operation. The connect 
command 366 sets the connect bit in the status register 240 . 

The attestation set 370 includes a signing operation 372, a public key enumeration 
374, and a key certificate enumeration 376. The signing operation 372 provides the remote 
attestation to verify the validity of the platform running a particular software in the secure 
environment. The public key enumeration 374 enumerates any additional public keys that 
are not part of the static configuration information 232. The key certificate enumeration 
376 enumerates any additional key certificates that are not part of the static configuration 
information 232 . 

The signing operation 372 includes a hash function 410 and a cryptographic 
function 420. The hash function 410 performs hashing on the processor nub loader hash 
272, the chipset hash log 274, the software hash 276, and the nonce 278. The result of this 
hashing operation is then encrypted by the cryptographic function 420 using the private 
key 280 stored in the chipset. The result of the encryption becomes the output data 264 to 
be stored in the lOB 260. When the signing operation 372 is complete, the processor nub 
1 8 retrieves the result fi*om the lOB 260^\ 

The status register 240 includes a self-test field 51 0, a connection field 520, an 
estimate field 530, and a reserved field 540. The self-test field 510 provides a result of the 
self-test operation in response to the reset command. The connection field 520 indicates 
that the device is responsive to the connect command. The estimate field 530 provides an 
estimate in some time unit (e.g., milliseconds) to indicate how long a current operation is 
expected to take^"*. 

VL GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

1. Claims 1-5, 20-25, 40-45, 60-65 and 80 stand rejected under 35 U.S.C. §102(e) 
as being anticipated by U.S. Patent No. 6,327,652 issued to England et al. 
(" England "). 



^' See Specification page 19, lines 7-19. 

See specification page 10, lines 20-27. 
^' See Specification page 20, lines 14-23; Figure 4. 

See Specification page 20, lines 24-27; page 21, lines 1-9; Figure 5. 
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2. Claims 6-19, 26-39, 46-59, and 66-79 stand rejected under 35 U.S.C. §103(a) as 
being unpatentable over England in view of U.S. Patent No. 4,3 19,323 issued to 
Ermolovich (" Ermolovich "). 

VIL ARGUMENTS 

A. Claims 1-5, 20-25. 40-45. 60-65 and 80 Are Not Anticipated by England. 

In the Final Office Action, the Examiner rejected claims 1-5, 20-25, 40-45, 60-65 
and 80 under 35 U.S.C. § 102(e) as being anticipated U.S. Patent No. 6,327,652 issued to 
England et al. (" England "). Applicants respectfully traverse the rejection and contend that 
the Examiner has not met the burden of establishing a prima facie case of anticipation. 

To anticipate a claim, the reference must teach every element of the claim. "A 
claim is anticipated only if each and every element as set forth in the claim is found, either 
expressly or inherently described, in a single prior art reference." Vergegaal Bros, v. 
Union Oil Co. of California . 814 F.2d 628, 631, 2 USPQ 2d 1051, 1053 (Fed. Cir. 1987). 
"The identical invention must be shown in as complete detail as is contained in 
the.. .claim." Richardson v. Suzuki Motor Co. , 868 F.2d 1226, 1236, 9 USPQ 2d 1913, 
1920 (Fed. Cir. 1989). 

England discloses loading and identifying a digital rights management operating 
system (DRMOS). Upon power up, a boot loader loads a boot block for a particular 
operating system. Code in the boot block then loads various drivers and other software 
components necessary for the OS to function on the computer (England, col. 1 1, lines 38- 
45). Once all components are loaded, the OS assumes its identity. A one-way hashing 
function provided by the CPU is used to create a cryptographic digest of all the loaded 
components. The digest becomes the identity for the OS (England, col. 12, lines 53-58). 
The DRMOS must provide a secure storage space to protect content permanently stored on 
the computer by securely storing private keys or session keys for use with encrypted 
content (England, col. 16, lines 50-55). 

England does not disclose, either expressly or inherently, (1) a digest memory to 
store an isolated digest as recited in claims 1,21,41, and 61, (2) a device to attest the 
isolated execution mode and prove validity of a program loaded into the isolated memory 
area as recited in claims 1, 21, 41, and 61, (3) a secure environment for an isolated 
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execution mode as recited in claims 1,21,41, and 61 , (4) a processor operating in one of a 
normal execution mode and the isolated execution mode as recited in claims 1, 21, 41, and 
61 , (5) the isolated digest includes at least a digest of one of a processor nub loader, a 
processor nub, an operating system nub, and a supervisory module loaded in an isolated 
execution space as recited in claims 2, 22, 42, and 62, (6) an interface to map the device to 
an address space of a chipset in the secure environment as recited in claims 3, 23, 43, and 
63, and (5) a communication storage to exchange security information w^ith the processor 
in the isolated execution mode as recited in claims 3, 23, 43, and 63. 

The Examiner states that the isolated execution mode is interpreted as a mode in 
which other applications or other unauthorized areas of memory cannot access ( Final 
Office Action , page 3). The Examiner further states that the function of preventing access 
to a memory while a certain application is running can be interpreted as isolated execution 
mode because access is prohibited while the trusted application is running in the DRMOS 
( Final Office Action , page 3). Applicants respectfully disagree for the following reasons. 

Claims should be interpreted consistently with the specification, which provides 
content for the proper construction of the claims because it explains the nature of the 
patentee's invention. See Renishaw P.L.C. v. Marposs Societa Per Azioni , 158 F.3d 1243 
(Fed. Cir. 1998). During patent examination, the pending claims must be "given the 
broadest reasonable interpretation consistent with the specification". See MPEP 2111. 
Here, the isolated memory area and the isolated execution mode should be interpreted 
according to the specification, and not by an arbitrary interpretation. The isolated 
execution mode is characterized by a number aspects that are not disclosed in England . 
These aspects include, among other things, division of rings into normal execution ring and 
isolated execution ring, OS nub, processor nub, processor nub loader, isolated memory 
area, isolated execution unit, etc. 

England merely discloses creating identities for different versions of a digital right 
management operating system (DRMOS) ( England , col. 11, lines 18-20). The totality of 
the boot block and the loaded components make up the identity of the operating system 
(England, col. 11, lines 44-46). England does not disclose an isolated memory area. 
England merely discloses checks the signature of a component before loading it ( England , 
col. 1 1 , lines 53-54). There is no distinction between an isolated memory area and a 
normal memory area. 
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In addition, England merely discloses using a one-way hashing function provided 
by the CPU to create a cryptographic digest of all the loaded components and use it as the 
identity of the operating system ( England , col. 12, lines 54-58). This is not the same as the 
digest memory that stores the digest values of the loaded processor nub, the operating 
system nub, and other supervisory modules loaded into the isolated execution space (See, 
for example, Specification, page 13, lines 21-24). 

Furthermore, England merely discloses a CPU running in a normal mode, not in 
one of a normal execution mode and an isolated execution mode. When the computer is 
turned on, the CPU executes a boot loader to load a boot block for a particular operating 
system ( England , col. 11, lines 38-42). In contrast, the isolated execution mode provides a 
secure environment to the platform. The security features are provided by a number of 
operations. The isolated execution mode is initialized using a privilege instruction and a 
processor nub loader (See, for example, Specification, page 7, lines 9-11). The isolated 
execution mode is supported by an isolated execution circuit including configuration for 
isolated execution, definition of an isolated area, definition (e.g., decoding and execution) 
of isolated instructions, etc. (See, for example. Specification, page 10, lines 7-13). 

First, as argued above, claims have to be interpreted according to specification. 
Claim terms are presumed to have the ordinary and customary meanings attributed to them 
by those of ordinary skill in the art. Sunrace Roots Enter. Co. v. SRAM Corp., 336 F.3d 
1298, 1302, 67 USPQ2d 1438, 1441 (Fed. Cir.2003). The ordinary and customary 
meaning of a term may be evidenced by a variety of sources, Brookhill-Wilk L LLC v. 
Intuitive Surgical Inc. , 334 F.3d 1294, 1298, 67 USPQ2d 1 132, 1 136 (Fed. Cir. 2003), 
including: the claims themselves; dictionaries and treatises, Tex. Digital Svs., Inc. v. 
Telegenix, Inc. , 308 F.3d 1 193, 1202, 64 USPQ2d 1812, 1818 (Fed. Cir, 2002); and the 
written description, the drawings, and the prosecution history, DeMarini Sports, Inc. v. 
Worth, Inc. , 239 F.3d 1314, 1324, 57 USPQ2d 1889, 1894 (Fed. Cir. 2001). Here, the 
term "isolated execution mode" refers to a mode where the execution is isolated. The term 
"isolated" defined by the Riverside Webster's II, New College Dictionary, published by 
Houghton Mifflin Company, in 1995, as: (1) set apart from a group or whole, and (2) 
placed in quarantine. Therefore, "isolated execution mode" is an mode in which the 
execution is set apart from the normal execution. This ordinary meaning does not simply 
involve preventing access to a memory. 
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Second, an applicant is entitled to be his or her own lexicographer and may rebut 
the presumption that claim terms are to be given their ordinary and customary meaning by 
clearly setting forth a definition of the term that is different from its ordinary and 
customary meaning(s). In re Paulsen , 30 F.3d 1475, 1480, 31 USPQ2d 1671, 1674 (Fed. 
Cir. 1994). Where an explicit definition is provided by the applicant for a term, that 
definition will control interpretation of the term as it is used in the claim. Toto Co. v. 
White Consolidated Industries Inc. , 199 F.3d 1295, 1301, 53 USPQ2d 1065, 1069 (Fed. 
Cir. 1999). Here, applicants defined the term "isolated execution mode" and "normal 
execution mode" at several places in the specification (See, for example, page 6, lines 6- 
24, page 10, lines 3-13; page 11, lines 12-22). In particular, an isolated execufion mode 
and a normal execution mode may occupy the same ring in a logical operating architecture. 
The isolated execution mode is supported by a number of hardware and software elements 
such as a processor nub, a processor nub loader, OS nub, isolated read/write cycles, etc. 

In light of the above. Applicants believe that independent claims 1, 21, 41, and 61, 
and their respective dependent claims are not anticipated by England . 

B. Claims 6-19, 26-39. 46-59. and 66-79 Are Not Obvious over Eneland in 
view of Ermolovich 

In the Final Office Action, the Examiner rejected claims 6-19, 26-39, 46-59, and 
66-79 under 35 U.S.C. § 103(a) as being unpatentable over England in view of U.S. Patent 
No. 4,319,323 issued to Ermolovich (" Ermolovich "). Applicants respectfully traverse the 
rejection and contend that the Examiner has not met the burden of establishing a prima 
facie case of obviousness. 

To establish a prima facie case of obviousness, three basic criteria must be met. 
First, there must be some suggestion or motivation, either in the references themselves or 
in the knowledge generally available to one of ordinary skill in the art, to modify the 
reference or to combine reference teachings. Second, there must be a reasonable 
expectation of success. Finally, the prior art reference (or references when combined) 
must teach or suggest all the claim limitations. MPEP §2143, p. 2100-129 (8th Ed,, rev. 2, 
May 2004). Applicants respectfully contend that there is no suggestion or motivation to 
combine their teachings, and thus no prima facie case of obviousness has been established. 
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England discloses loading and identifying a digital rights management operating 
system as discussed above. 

Ermolovich discloses a communications device for data processing system. A 
device status is built and inserted into a packet as a status longv^ord before inserting a 
command packet into a termination queue ( Ermolovich. col. 85, lines 37-41). The device 
status contains the status of a communication device after the communication device 
processes a command packet ( Ermolovich , col. 13, lines 37-43). A command interpreter 
transfers contents of a command field to a command register in an external device 
( Ermolovich . col. 12, lines 2-6). The communication device may directly write to or read 
from buffers in the data block and command block ( Ermolovich , col. 7, lines 54-58). 

England and Ermolovich , taken alone or in any combination, do not disclose, 
suggest, or render obvious (1) a communication storage to exchange security information 
with the processor in the isolated execution mode, (2) a status register to store device status 
of the device, (3) a command register to store a device command for a command interface 
set; and (4) an input/output block (lOB) to store input and output data corresponding to the 
command. 

There is no motivation to combine England and Ermolovich because neither of 
them addresses the problem of isolated execution. There is no teaching or suggestion that 
a digest memory, a device to attest isolated execution mode, and a processor having normal 
and isolated execution modes is present. England , read as a whole, does not suggest the 
desirability of attesting an isolated execution mode, or proving validity of a program, or a 
configuration storage in a communication storage corresponding to an address space for an 
isolated execution mode. England does not disclose or suggest an isolated execution mode 
as discussed above. Ermolovich merely discloses status word in a command packet for a 
communication device, not a configuration storage for an isolated execution mode. 
Ermolovich merely discloses a state to initiate a data transfer. In this state, a command 
interpreter is enabled to transfer the contents of the command field to a command register 
in the external device ( Ermolovich , col. 12, lines 2-6). As noted above, the command 
register here is used only for communication devices and data transfers, not to allow the 
attestation key memory device to exchange security information with at least one 
processor. The Examiner further states that Ermolovich discloses an input/output block to 
store input and output data and cites column 71, lines 40-64 ( Final Office Acfion , page 6). 
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However, the cited paragraph merely discloses a data block and command block which 
contain buffers to/from which the communication device directly writes/reads 
f Ermolovich , col. 71, lines 54-59). This is not the same as input and output data 
corresponding to the command used in exchanging security information and corresponding 
to an address space of a chipset in a secure environment. 

The Examiner failed to establish a prima facie case of obviousness and failed to 
show there is teaching, suggestion or motivation to combine the references. "When 
determining the patentability of a claimed invention which combined two known elements, 
'the question is whether there is something in the prior art as a whole suggest the 
desirability, and thus the obviousness, of making the combination.'" In re Beattie, 
Lindemann Maschinenfabrik GmbH v. American Hoist & Derrick Co. . 730 F.2d 1452, 
1462, 221 USPQ (BNA) 481, 488 (Fed. Cir. 1984). "To support the conclusion that the 
claimed invention is directed to obvious subject matter, either the references must 
expressly or implicitly suggest the claimed invention or the Examiner must present a 
convincing line of reasoning as to why the artisan would have found the claimed invention 
to have been obvious in light of the teachings of the references." Ex parte Clapp . 227 
USPQ 972, 973. (Bd.Pat.App.&Inter. 1985). 

In the present invention, the cited references do not expressly or implicitly suggest 
(1) a communication storage to exchange security information with the processor in the 
isolated execution mode, (2) a status register to store device status of the device, (3) a 
command register to store a device command for a command interface set; and (4) an 
input/output block (lOB) to store input and output data corresponding to the command. In 
addition, the Examiner failed to present a convincing line of reasoning as to why a 
combination of England and Ermolovich is an obvious application of attestation using an 
isolated digest and an isolated execution mode. 
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VIII. CONCLUSION 



Applicant respectfully requests that the Board enter a decision overturning the 
Examiner's rejection of all pending claims, and holding that the claims are neither 
anticipated nor rendered obvious by the prior art. 

Respectfully submitted, 

Blakely, Sokoloff, Taylor & Zafman LLP 



Dated: June 10, 2005 




Reg. No. 42,034 

12400 Wilshire Blvd., 7th Floor 
Los Angeles, CA 90025-1026 
(714) 557-3800 
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IX. CLAIMS APPENDIX 

The claims of the present appHcation which are involved in this appeal are as 
follows: 

1 . (previously presented) An apparatus comprising: 

a digest memory to store an isolated digest in a secure environment for an isolated 
execution mode, the secure environment being associated with an isolated memory area 
accessible by at least one processor, the at least one processor operating in one of a normal 
execution mode and the isolated execution mode; and 

an attestation key memory (AKM) device coupled to the digest memory to attest 
the isolated execution mode and prove validity of a program loaded into the isolated 
memory area using the isolated digest. 

2. (previously presented) The apparatus of claim 1 wherein the isolated digest 
includes at least a digest of one of a processor nub loader, a processor nub, an operating 
system nub, and a supervisory module loaded in an isolated execution space. 

3. (previously presented) The apparatus of claim 2 further comprising: 
an interface to map the device to an address space of a chipset in the secure 

environment; and 

a communication storage corresponding to the address space to allow the AKM 
device to exchange security information with the at least one processor, the security 
information including at least one of a static public key and a static key certificate. 

4. (original) The apparatus of claim 3 wherein the device accesses a chipset 
storage via the address space. 

5. (original) The apparatus of claim 4 wherein the communication storage 
comprises: 

a configuration storage to store device configuration information. 
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6. (original) The apparatus of claim 5 wherein the communication storage 
further comprises: 

a status register to store device status of the device; 

a command register to store a device command for a command interface set; and 
an input/output block (lOB) to store input and output data corresponding to the 
command. 

7. (original) The apparatus of claim 6 wherein the configuration storage 
comprises: 

a public key storage to store the static public key; 
a key certificate storage to store the static key certificate; and 
an interface set storage to store an interface set identifier, the interface set identifier 
identifying a command interface set supported by the device. 

8. (original) The apparatus of claim 7 wherein the configuration storage 
further comprises: 

a manufacturer identifier storage to store a manufacturer identifier; and 
a revision storage to store a revision identifier. 

9. (original) The apparatus of claim 7 wherein the command interface set is an 
initialization set, the initialization set supporting a reset command and a connect command. 

10. (original) The apparatus of claim 7 wherein the command interface set is an 
attestation set, the attestation set performing at least one of a public key enumeration, a key 
certificate enumeration, and a signing operation. 

1 1 . (original) The apparatus of claim 1 0 wherein the status register comprises: 
a connection field to provide a connection status to indicate that the device is 

responsive to the connect command; and 

an estimate field to provide an estimate of processing time for an operation 
specified in the command. 
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12. (original) The apparatus of claim 1 1 wherein the status register further 
comprises: 

a self-test field to indicate status of a self test in response to the reset command. 

13. (original) The apparatus of claim 10 wherein the public key enumeration 
enumerates an additional pubHc key other than the static public key. 

14. (original) The apparatus of claim 10 wherein the key certificate 
enumeration enumerates an additional key certificate other than the static key certificate. 

1 5. (original) The apparatus of claim 1 0 wherein the sign operation generates a 
signature to attest validity of the secure environment using a private key provided by the 
chipset. 

16. (original) The apparatus of claim 15 wherein the signature corresponds to 
signing a chipset parameter. 

1 7. (previously presented) The apparatus of claim 1 6 wherein the chipset 
parameter is one of a processor nub loader hash, a chipset hash log, a software hash, and a 
nonce. 

1 8. (previously presented) The apparatus of claim 1 7 wherein the processor 
nub loader hash and the chipset hash log are stored in the chipset storage. 

19. (previously presented) The apparatus of claim 1 8 wherein the software 
hash and the nonce are provided by a processor nub. 

20. (original) The apparatus of claim 3 wherein the device accesses a remote 
server via the address space. 

21 . (previously presented) A method comprising: 
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storing an isolated digest in a digest memory in a secure environment for an 
isolated execution mode, the secure environment being associated with an isolated memory 
area accessible by at least one processor, the at least one processor operating in one of a 
normal execution mode and the isolated execution mode; and 

attesting the isolated execution mode and proving validity of a program loaded into 
the isolated memory area using an attestation key memory (AKM) device and the isolated 
digest. 

22. (previously presented) The method of claim 21 wherein the isolated digest 
includes at least a digest of one of a processor nub loader, a processor nub, an operating 
system nub, and a supervisory module loaded in an isolated execution space. 

23. (previously presented) The method of claim 22 further comprising: 
mapping the AKM device to an address space of a chipset in the same 

environment; and 

exchanging security information between the AKM device and the at least one 
processor via a communication storage corresponding to the address space, the security 
information including at least one of a static public key and a static key certificate. 

24. (original) The method of claim 23 wherein the device accesses a chipset 
storage via the address space. 

25. (original) The method of claim 24 wherein exchanging comprises: 
storing device configuration information in a configuration storage. 

26. (original) The method of claim 25 wherein exchanging further comprises: 
storing device status of the device in a status register; 

performing a device command corresponding to a command interface set to a 
command register; and 

storing input and output data corresponding to the command in an input/output 
block (lOB). 
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27. (original) The method of claim 26 wherein storing in the configuration 
storage comprises: 

storing the static public key in a public key storage; 
storing the static key certificate in a key certificate storage; and 
storing an interface set identifier in an interface set storage, the interface set 
identifier identifying a command interface set supported by the device. 

28. (original) The method of claim 27 wherein storing in the configuration 
storage further comprises: 

storing a manufacturer identifier in a manufacturer identifier storage; and 
storing a revision identifier in a revision storage. 

29. (original) The method of claim 27 wherein performing the device 
command comprises performing a reset command and a connect command corresponding 
to an initialization set. 

30. (original) The method of claim 27 wherein performing the device 
command comprises performing at least one of a public key enumeration, a key certificate 
enumeration, and a signing operation, the public key enumeration, the key certificate 
enumeration, and the signing operation corresponding to an attestation set. 

3 1 . (original) The method of claim 30 wherein storing the device status 
comprises: 

providing a connection status to indicate that the device is responsive to the connect 
command; and 

providing an estimate of processing time for an operation specified in the 
command. 

32. (original) The method of claim 31 wherein storing the device status further 
comprises: 

indicating status of a self test in response to the reset command. 
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33. (original) The method of claim 30 wherein performing the public key 
enumeration comprises enumerating an additional public key other than the static public 
key. 

34. (original) The method of claim 30 wherein performing the key certificate 
enumeration comprises enumerating an additional key certificate other than the static key 
certificate. 

35. (original) The method of claim 30 wherein performing the sign operation 
comprises generating a signature to attest validity of the secure environment using a 
private key provided by the chipset. 

36. (original) The method of claim 35 wherein the signature corresponds to 
signing a chipset parameter. 

37. (previously presented) The method of claim 36 wherein the chipset 
parameter is one of a processor nub loader hash, a chipset hash log, a software hash, and a 
nonce. 

38. (previously presented) The method of claim 37 wherein the processor nub 
loader hash and the chipset hash log are stored in the chipset storage. 

39. (previously presented) The method of claim 38 wherein the software hash 
and the nonce are provided by a processor nub. 

40. (original) The method of claim 23 wherein the device accesses a remote 
server via the address space. 

41 . (previously presented) A computer program product comprising: 

a machine readable medium having program code embedded therein, the computer 
program product comprising: 

computer readable program code to store an isolated digest in a digest memory in a 
secure environment for an isolated execution mode, the secure environment being 
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associated with an isolated memory area accessible by at least one processor, the at least 
one processor operating in one of a normal execution mode and the isolated execution 
mode; and 

computer readable program code to attest the isolated execution mode and proving 
validity of a program loaded into the isolated memory area using an attestation key 
memory (AKM) device and the isolated digest, 

42. (previously presented) The computer program product of claim 41 wherein 
the isolated digest includes at least a digest of one of a processor nub loader, a processor 
nub, an operating system nub, and a supervisory module loaded in an isolated execution 
space. 

43. (previously presented) The computer program product of claim 42 wherein 
the computer program product further comprising: 

computer readable program code to map the AKM device to an address space of a 
chipset; and 

computer readable program code to exchange security information between the 
AKM device and the at least one processor via a communication storage corresponding to 
the address space, the security information including at least one of a static public key and 
a static key certificate. 

44. (original) The computer program product of claim 43 wherein the device 
accesses a chipset storage via the address space. 

45. (previously presented) The computer program product of claim 44 wherein 
the computer readable program code to exchange comprises: 

computer readable program code to store device configuration information in a 
configuration storage. 

46. (previously presented) The computer program product of claim 45 wherein 
the computer readable program code to exchange further comprises: 

computer readable program code to store device status of the device in a status 
register; 
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computer readable program code to perform a device command corresponding to a 
command interface set to a command register; and 

computer readable program code to store input and output data corresponding to 
the command in an input/output block (lOB). 

47. (previously presented) The computer program product of claim 46 wherein 
the computer readable program code to store in the configuration storage comprises: 

computer readable program code to store the static public key in a public key 
storage; 

computer readable program code to store the static key certificate in a key 
certificate storage; and 

computer readable program code to store an interface set identifier in an interface 
set storage, the interface set identifier identifying a command interface set supported by the 
device. 

48. (previously presented) The computer program product of claim 47 wherein 
the computer readable program code to store in the configuration storage further 
comprises: 

computer readable program code to store a manufacturer identifier in a 
manufacturer identifier storage; and 

computer readable program code to store a revision identifier in a revision storage. 

49. (previously presented) The computer program product of claim 47 wherein 
the computer readable program code to perform the device command comprises computer 
readable program code to perform a reset command and a connect command corresponding 
to an initialization set. 

50. (previously presented) The computer program product of claim 47 wherein 
the computer readable program code for to perform the device command comprises 
computer readable program code to perform at least one of a public key enumeration, a key 
certificate enumeration, and a signing operation, the public key enumeration, the key 
certificate enumeration, and the signing operation corresponding to an attestation set. 
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51 . (previously presented) The computer program product of claim 50 wherein 
the computer readable program code to store the device status comprises: 

computer readable program code to provide a connection status to indicate that the 
device is responsive to the connect command; and 

computer readable program code to provide an estimate of processing time for an 
operation specified in the command. 

52. (previously presented) The computer program product of claim 51 wherein 
the computer readable program code to store the device status further comprises: 

computer readable program code to indicate status of a self test in response to the 
reset command. 

53. (previously presented) The computer program product of claim 50 wherein 
the computer readable program code to perform the public key enumeration comprises 
computer readable program code to enumerate an additional public key other than the 
static public key. 

54. (previously presented) The computer program product of claim 50 wherein 
the computer readable program code to perform the key certificate enumeration comprises 
computer readable program code to enumerate an additional key certificate other than the 
static key certificate. 

55. (previously presented) The computer program product of claim 50 wherein 
the computer readable program code to perform the sign operation comprises computer 
readable program code to generate a signature to attest validity of the secure environment 
using a private key provided by the chipset. 

56. (original) The computer program product of claim 55 wherein the signature 
corresponds to signing a chipset parameter. 

57. (previously presented) The computer program product of claim 56 wherein 
the chipset parameter is one of a processor nub loader hash, a chipset hash log, a software 
hash, and a nonce. 
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58. (previously presented) The computer program product of claim 57 wherein 
the processor nub loader hash and the chipset hash log are stored in the chipset storage. 

59. (previously presented) The computer program product of claim 58 wherein 
the software hash and the nonce are provided by a processor nub. 

60. (original) The computer program product of claim 43 wherein the device 
accesses a remote server via the address space. 

61. (previously presented) A system comprising: 
an attestation key memory (AKM) device; 

at least one processor operating in a secure environment, the at least one processor 
having one of a normal execution mode and an isolated execution mode; 

a memory coupled to the at least one processor, the memory having an isolated 
memory area accessible to the at least one processor in the isolated execution mode; and 

a chipset coupled to the at least one processor and the memory, the chipset having a 
circuit, the circuit comprising: 

a digest memory to store an isolated digest used with the device to attest the 

isolated execution mode and prove validity of a program loaded into the isolated 

memory area. 

62. (previously presented) The system of claim 61 wherein the isolated digest 
includes at least a digest of one of a processor nub loader, a processor nub, an operating 
system nub, and a supervisory module loaded in an isolated execution space. 

63. (previously presented) The system of claim 62 wherein the circuit further 
comprises: 

an interface to map the device to an address space of the chipset; and 
a communication storage corresponding to the address space to allow the AKM 
device to exchange security information with the at least one processor, the security 
information including at least one of a static public key and a static key certificate. 
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64. (original) The system of claim 63 wherein the device accesses a chipset 
storage via the address space. 

65. (original) The system of claim 64 wherein the communication storage 
comprises: 

a configuration storage to store device configuration information. 

66. (original) The system of claim 65 wherein the communication storage 
further comprises: 

a status register to store device status of the device; 

a command register to store a device command for a command interface set; and 
an input/output block (lOB) to store input and output data corresponding to the 
command. 

67. (original) The system of claim 66 wherein the configuration storage 
comprises: 

a public key storage to store the static public key; 
a key certificate storage to store the static key certificate; and 
an interface set storage to store an interface set identifier, the interface set identifier 
identifying a command interface set supported by the device. 

68. (original) The system of claim 67 wherein the configuration storage further 
comprises: 

a manufacturer identifier storage to store a manufacturer identifier; and 
a revision storage to store a revision identifier. 

69. (original) The system of claim 67 wherein the command interface set is an 
initialization set, the inifialization set supporting a reset command and a connect command. 

70. (original) The system of claim 67 wherein the command interface set is an 
attestation set, the attestation set performing at least one of a public key enumeration, a key 
certificate enumeration, and a signing operation. 
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71 . (original) The system of claim 70 wherein the status register comprises: 
a connection field to provide a connection status to indicate that the device is 

responsive to the connect command; and 

an estimate field to provide an estimate of processing time for an operation 
specified in the command. 

72. (original) The system of claim 71 wherein the status register further 
comprises: 

a self-test field to indicate status of a self test in response to the reset command. 

73. (original) The system of claim 70 wherein the public key enumeration 
enumerates an additional public key other than the static public key. 

74. (original) The system of claim 70 wherein the key certificate enumeration 
enumerates an additional key certificate other than the static key certificate. 

75. (original) The system of claim 70 wherein the sign operation generates a 
signature to attest validity of the secure environment using a private key provided by the 
chipset. 

76. The system of claim 75 wherein the signature corresponds to signing a 
chipset parameter. 

77. (previously presented) The system of claim 76 wherein the chipset 
parameter is one of a processor nub loader hash, a chipset hash log, a software hash, and a 
nonce. 

78. (previously presented) The system of claim 77 wherein the processor nub 
loader hash and the chipset hash log are stored in the chipset storage. 

79. (previously presented) The system of claim 78 wherein the software hash 
and the nonce are provided by a processor nub. 
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80. (original) The system of claim 63 wherein the device accesses a remote 
server via the address space. 
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